(57) ABSTRACT

The present invention discloses a central certificate management system for thin client devices in data networks and has particular applications to systems having a large number of the thin clients serviced by a proxy server through which the thin clients communicate with a plurality of secure server computers over a data network. According to one aspect, the present invention provides a certificate management module that causes the server device to manage digital certificates for each of the thin client devices. To minimize the latency of obtaining certificates for each of the thin client devices, the certificate management module reserves a fixed number of free certificates signed by a certificate authority and their respective private keys in a certificate database and frequently updates the free certificates according to a certificate updating message. Whenever a user account is created for a thin client device, the certificate management module fetches one or more free certificates from the certificate database and associates the fetched certificates with the created account; meanwhile the certificate management module creates new free certificates with the certificate authority to fill in the certificate database. Apart from the tradition of obtaining certificates locally in client devices that normally have sufficient computing power, the present invention uses the computing resources in a server device to carry out the task of obtaining and maintaining certificates asynchronously in the proxy server. These and other features in the present invention dramatically minimize the demands for computing power and memory in thin client devices like mobile devices, cellular phones, landline telephones or Internet appliance controllers.
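The free-certificate pool the abstract describes (a fixed reserve of issued but undesignated certificates with their private keys, handed to newly created accounts and topped up again from the CA), as an added worked example that is not code from the patent or its microfiche appendix. The stub CA is a constructed stand-in that issues placeholder records without any cryptography, and the class, field and parameter names are assumptions, not the patent's own.

```python
"""Free-certificate pool of a proxy-server certificate management module (CMM).

Added illustration of the scheme in the abstract; not code from the patent or its
appendix. StubCA is a constructed stand-in for a certificate authority (no real
signing), so the pool logic runs offline. Names are assumptions.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass
class Certificate:
    serial: int
    issuer: str
    not_after: int                      # expiry on a simulated clock
    private_key: str                    # placeholder; the key stays on the proxy
    assigned_to: Optional[str] = None   # device ID once the cert is designated


class StubCA:
    """Constructed stand-in for a CA: numbers certificates and gives each a
    lifetime of `lifetime` clock ticks. Counts issuances so a test can see
    how many CA round trips the pool caused."""

    def __init__(self, name: str, lifetime: int):
        self.name, self.lifetime = name, lifetime
        self._next_serial, self.issued = 1, 0

    def issue(self, now: int) -> Certificate:
        cert = Certificate(self._next_serial, self.name, now + self.lifetime,
                           private_key=f"key-{self.name}-{self._next_serial}")
        self._next_serial += 1
        self.issued += 1
        return cert


@dataclass
class Account:
    device_id: str
    subscriber_id: str
    url: str
    certificate_list: List[Certificate] = field(default_factory=list)
    private_key_list: List[str] = field(default_factory=list)


class CertificateManager:
    """Keeps `threshold` free certificates on hand so a new account is served
    from the pool instead of waiting minutes on the CA."""

    def __init__(self, ca: StubCA, threshold: int, now: int = 0):
        self.ca, self.threshold = ca, threshold
        self.free: List[Certificate] = []
        self.accounts: Dict[str, Account] = {}
        self.refill(now)

    def refill(self, now: int) -> int:
        """Top the pool up to the threshold; returns how many were fetched.
        The patent does this asynchronously; here it simply runs inline."""
        fetched = 0
        while len(self.free) < self.threshold:
            self.free.append(self.ca.issue(now))
            fetched += 1
        return fetched

    def refresh_free(self, now: int, margin: int = 0) -> int:
        """Drop free certificates that have expired or expire within `margin`
        ticks, then refill; returns the number replaced."""
        keep = [c for c in self.free if c.not_after > now + margin]
        dropped = len(self.free) - len(keep)
        self.free = keep
        self.refill(now)
        return dropped

    def create_account(self, device_id: str, subscriber_id: str, url: str,
                       now: int, needed: int = 1) -> Account:
        """certRequest path: take `needed` free certificates, designate them to
        the new account (device ID attached, key kept server-side), then bring
        the pool back to the threshold."""
        if device_id in self.accounts:
            raise ValueError(f"account already exists for {device_id}")
        while len(self.free) < needed:          # demand above the reserve: fetch now
            self.free.append(self.ca.issue(now))
        acct = Account(device_id, subscriber_id, url)
        for _ in range(needed):
            cert = self.free.pop(0)
            cert.assigned_to = device_id
            acct.certificate_list.append(cert)
            acct.private_key_list.append(cert.private_key)
        self.accounts[device_id] = acct
        self.refill(now)
        return acct

    def certificates_are_exclusive(self) -> bool:
        """Invariant: a serial belongs to at most one account, every designated
        certificate names its own account, and free certificates are unassigned."""
        seen = set()
        for acct in self.accounts.values():
            for c in acct.certificate_list:
                if c.serial in seen or c.assigned_to != acct.device_id:
                    return False
                seen.add(c.serial)
        return all(c.assigned_to is None and c.serial not in seen for c in self.free)
```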
[FIG. 1, text recovered from the drawing: "encrypted using the ..."; "If client digital ID is authenticated, ... otherwise server denies the request"; "Once a session key is established, secure communications commence between the client and the server".]
CENTRALIZED CERTIFICATE MANAGEMENT SYSTEM FOR TWO-WAY INTERACTIVE COMMUNICATION DEVICES IN DATA NETWORKS

REFERENCE TO A "MICROFICHE APPENDIX"

Appendix A, which is a part of the present disclosure, is a microfiche appendix entitled "Centralized Certificate Management System for Two-way Communication Devices in Data Networks" consisting of 2 sheets of microfiche having a total of 184 frames. The microfiche Appendix is a source code listing of one embodiment of the centralized certificate management system for two-way interactive communication devices over a wireless data network in the present invention, which is described more completely below.

A portion of the disclosure of this patent document contains material, that includes but is not limited to, Appendices A, B and C, which is subject to copyright protection. The copyright owner has no objection to the facsimile reproduction by anyone of the patent document or the patent disclosure, as it appears in the Patent and Trademark Office patent file or records, but otherwise reserves all copyrights whatsoever.

BACKGROUND OF THE INVENTION

1. Field of Invention

The present invention relates to data security between server computers and client computers in data networks, and more particularly relates to systems for managing, in a proxy server computer, digital certificates for two-way interactive communication devices over the data networks; wherein the two-way interactive communication devices, such as mobile devices, cellular phones, landline telephones and Internet appliance controllers, have generally limited computing resources such as computing power, memory and graphical display capability.

2. Description of the Related Art

A fast-growing trend on the Internet is electronic commerce. The electronic commerce is an integrative concept designed to draw together a wide range of business support services, trading support systems for commodities, products, customized products and custom-built goods and services; ordering and logistic support systems; settlement support systems; and management information and statistical reporting systems, all via the Internet. It is well known, however, that the Internet is a wide open, public and international network of interconnected computers and electronic devices around the world. The ability to send and receive secure data becomes a fundamental requirement in conducting electronic commerce over the Internet. To transact business over the open network, a business or organization must have an efficient and reliable manner to establish its identity and credibility to protect itself and its customers from imposters. Similarly, customers need assurance that their private information they may submit over the Internet can not be read by anyone but the business that they submit to.

One of the on-going efforts to ensure private communications or business transactions between two authenticated parties is to use digital certificates to bind the identities of the two parties to a pair of electronic keys that can be used to encrypt and sign digital information transmitted over the Internet. A digital certificate makes it possible to verify someone's claim that they have the right to use a given key, which helps prevent others from using phony keys to impersonate authorized users. Used in conjunction with encryption, digital certificates provide a more complete security solution by assuring the identity of all parties involved in a transaction through an open network.

The current architecture for using the digital certificates is binding between two computers, one being a client computer and the other being a server computer, on the Internet, that means both computers physically hold their own certificates, requiring a memory space to keep certificates. In case one of certificates becomes invalid (expired, revoked or no longer usable), the computer that owns the invalid certificate may acquire a new certificate from a certificate issuing authority. However, the acquiring process generally takes a number of minutes and a significant amount of computing power. When a communication session between the two computers is established, the two computers authenticate each other by examining the counterpart certificate. A key is created when the authentication is successful and a secure communication session commences with the key to encrypt information exchanging between the two computers. The authentication process also takes a significant amount of computing power.

When the client computer is a small two-way communication device such as a mobile computing device, a cellular phone, a landline telephone, or an Internet appliance controller, the above architecture is hardly applicable. To increase the portability and mobility, most of such two-way communication devices are designed small in size, light in weight, low in power consumption and as economically as possible. Such designs, often considered as thin-client designs, result in a very limited computing power, typically equivalent to less than one percent of what is provided in a typical desktop or portable computer and the memory capacity thereof is generally less than 250 kilobytes. That means that the thin client devices would not have extra memory spaces to store a number of certificates and the required computing power to acquire a new certificate in real time if one of the possessed certificates becomes invalid. There is thus a great need for providing the thin clients with a mechanism to effectively manage the certificates.

BRIEF DESCRIPTION OF THE DRAWINGS

These and other features, aspects, and advantages of the present invention will become better understood with regard to the following description, appended claims, and accompanying drawings where:

FIG. 1 illustrates, as an exemplary illustration, how the certificates are being used between a client device and a merchant server;

FIG. 2 illustrates a schematic representation of a mobile data network comprising an airnet and a landnet, in which the present invention may be practiced;

FIG. 3 illustrates a representation of the present invention interacting with other parts or components in the data network;

FIGS. 4A and 4B demonstrate an example in which a user of a mobile device requests certificates from a user-specified CA;

FIG. 5 depicts a block diagram of various components in a certificate management module in the present invention;

FIGS. 6A and 6B illustrate an operation flowchart showing processes and procedures for managing certificates in a server device for thin clients over a data network.
DETAILED DESCRIPTION OF THE INVENTION

Notation and Nomenclature

In the following detailed description of the present invention, numerous specific details are set forth in order to provide a thorough understanding of the present invention. However, it will become obvious to those skilled in the art that the present invention may be practiced without these specific details. In other instances, well known methods, procedures, components, and circuitry have not been described in detail to avoid unnecessarily obscuring aspects of the present invention.

The detailed description of the present invention in the following are presented largely in terms of procedures, steps, logic blocks, processing, and other symbolic representations that resemble those of data processing devices coupled to networks. These process descriptions and representations are the means used by those experienced or skilled in the art to most effectively convey the substance of their work to others skilled in the art. The present invention is a centralized certificate management system for two-way interactive communication devices in data networks. The method along with the architecture to be described in detail below is a self-consistent sequence of processes or steps leading to a desired result. These steps or processes are those requiring physical manipulations of physical quantities. Usually, though not necessarily, these quantities may take the form of electrical signals capable of being stored, transferred, combined, compared, displayed and otherwise manipulated in a computer system or electronic computing devices. It proves convenient at times, principally for reasons of common usage, to refer to these signals as bits, values, elements, symbols, operations, messages, terms, numbers, or the like. It should be borne in mind that all of these similar terms are to be associated with the appropriate physical quantities and are merely convenient labels applied to these quantities. Unless specifically stated otherwise as apparent from the following description, it is appreciated that throughout the present invention, discussions utilizing terms such as "processing" or "computing" or "verifying" or "displaying" or the like, refer to the actions and processes of a computing device that manipulates and transforms data represented as physical quantities within the computing device's registers and memories into other data similarly represented as physical quantities within the computing device or other electronic devices.

Introduction to Digital Certificates

A digital certificate or certificate, sometimes referred as digital ID or security certificate, is a piece of information, often stored as a text file, to be used by the secure sockets layer (SSL) protocol to establish a secure connection between two parties over an open data network. In the simplest form, a certificate contains a public key and a name. As commonly used, a certificate also contains an expiration date, the name of the certifying authority that issued the certificate, a serial number, and perhaps other information. Most importantly, it contains the digital signature of the certificate issuer, i.e. an encrypted "fingerprint" that can be used to verify the contents of the certificate.

A digital certificate, or simply certificate, is issued by a Certification Authority (CA) and signed with the CA's private key. The most widely accepted format for digital certificates is defined by the CCITT X.509 international standard; thus certificates can be read or written by any application complying with the CCITT X.509 standard. A digital certificate uses public key encryption techniques that are based on a pair of related keys, a public key and a private key. In public key encryption, the public key is made available to anyone who wants to correspond with the owner of the key pair. The public key can be used to verify a message signed with the private key or encrypt messages that can only be decrypted using the private key. The security of messages encrypted this way relies on the security of the private key, which must be protected against unauthorized use.

The key pair in a certificate is bound to a user's name and other identifying information. When installed in a Hyper Text Markup Language (HTML) browser, such as Netscape Navigator from Netscape Communication Inc. in California or Internet Explorer from Microsoft Corporation of Richmond, Wash., the certificate functions as an electronic credential that sites being contacted can examine. This sometimes enables digital certificates to replace password dialogs for information or services that require membership or restrict access to particular users. For example, when one sends messages to a merchant web site, he signs the messages and encloses his digital ID to assure the recipient of the message that the message was actually sent by him. When the merchant receives digitally signed messages, the signer's digital ID is verified to determine that no forgery or false representation has occurred. Generally, once a user obtains a certificate, he can set up his security-enhanced web or e-mail application to use the certificate automatically. FIG. 1 illustrates the authentication process using the digital IDs between the client and the merchant server.

The most secure use of authentication involves enclosing one or more certificates with every signed message. The receiver of the message would verify the certificate using the certifying authority's public key and, now confident of the public key of the sender, verify the message's signature. There may be two or more certificates enclosed with the message, forming a hierarchical chain, wherein one certificate testifies to the authenticity of the previous certificate. At the end of the certificate hierarchy is a top-level certifying authority, which is trusted without a certificate from any other certifying authority. The public key of the top-level certifying authority must be independently known, for example, by being widely published. In other words, a sender whose company is known to the receiver may need to enclose only one certificate (issued by the company), whereas a sender whose company is unknown to the receiver may need to enclose two or more certificates. For higher grade of security, it is a common practice to enclose just enough of a certificate chain so that the issuer of the highest level certificate in the chain is well known to the receiver. If there are multiple recipients, then enough certificates should be included to cover what each recipient might need.

The Preferred Embodiment

Referring now to the drawings, in which like numerals refer to like parts throughout the several views. FIG. 2 illustrates a schematic representation of a data network 100 in which the present invention may be practiced. The data network 100 comprises an airnet 102 that is generally called wireless network and a landnet 104 that is generally a landline network, each acting as a communication medium for data transmission therethrough. The airnet 102, in which the data transmission is via the air, is sometimes referred to as a carrier network because each airnet is controlled and operated by a carrier, for example AT&T and GTE, each having its own communication scheme, such as CDPD, CDMA, GSM and TDMA for the airnet 102. The landnet 104 or the Internet, used interchangeably herein, may be the Internet, the Intranet or other private networks. Referenced by 106 is one of the mobile devices that can be a mobile
device, a cellular phone, a landline telephone or an Internet 
appliance controller, capable of communicating with the 
airnet 102 via an antenna 108. It is generally understood that 
the airnet 102 communicates simultaneously with a plurality 
of two-way communication devices, of which only a mobile 
device 106 is shown in the figure. Similarly, connected to the 
Internet 104 are a plurality of desktop personal computers 
(PCs) 110 and a plurality of server computers 112, though 
only one representative respectively is shown in the figure. 
The PC 110, as shown in the figure, may be a personal 
computer SPL 300 from NEC Technologies Inc. and runs a 
HTML Web browser via the Internet 104 using HyperText 
Transport Protocol (HTTP) to access information stored in 
the web server 112 that may be a workstation from SUN 
Microsystems Inc. It is understood to those skilled in the art 
that the PC 110 can store accessible information therein so 
as to become a web server as well. Between the Internet 104 
and the airnet 102 there is a proxy server computer 114 
performing data communication therebetween. The proxy 
server computer 114, also referred to as link server or 
gateway server computer, may be a workstation or a per- 
sonal computer and performs mapping or translation 
functions, for example, mapping from one protocol to 
another, thereby the mobile device 106 can be in commu- 
nication with any one of the servers 112 or the PCs 110, 
respectively. 

One communication protocol used on the Internet 104 is 
the well known HyperText Transfer Protocol (HTTP) or 
HTTPS, a secure version of HTTP. HTTP runs on the 
Transport Control Protocol (TCP) and controls the connec- 
tion of a well known HyperText Markup Language Web 
browser, or HTML Web browser in the server 114, to the 
Web server 112, and the exchange of information therebe- 
tween. HTTPS supports SSL that is used mostly in secure 
and authenticated communications between the HTML 
browsers and web servers. A common notation in the HTML 
browsers is the use of "https" before a universal resource 
locator, or URL, which indicates that an SSL connection will 
be established. In an SSL connection one side, preferably the 
server side, of the connection shall have a certificate that 
must be authenticated by the counterpart side. Each side then 
encrypts what it sends out using information from either its 
own, the other side or both side certificate, ensuring that only 
the intended recipient can decrypt it, and that the other side 
can be sure the data come from the place it claims to have 
come from, and that the message has not been tampered 
with. 

The communication protocol between the mobile device 
106 and the proxy server 114 via the airnet 102 is Handheld 
Device Transport Protocol (HDTP), or Secure Uplink Gate- 
way Protocol (SUGP), which preferably runs on User Data- 
gram Protocol (UDP) and controls the connection of a 
HDML Web browser, in the mobile device 106, to the proxy 
server 114, where HDML stands for Handheld Device 
Markup Language. HDML, similar to that of HTML, is a tag 
based document language and comprises a set of commands 
or statements specified in a card that specifies how infor- 
mation is displayed on a small screen of the mobile device 106. 
Normally a number of cards are grouped into a deck that is 
the smallest unit of HDML information that can be 
exchanged between the mobile device 106 and the proxy 
server 114. The specifications of HDTP, entitled "HDTP 
Specification" and HDML, entitled "HDML 2.0 Language 
Reference" are enclosed and incorporated herein by refer- 
ence in its entirety. The HDTP is a session-level protocol 
that resembles HTTP but without incurring the overhead 
thereof and is highly optimized for use in thin devices that 
have significantly less computing power and memory. Further it is understood to those skilled in the art that the UDP does not require a connection to be established between a client and a server before information can be exchanged, which eliminates the need of exchanging a large number of packets during a session creation between a client and a server. Exchanging a very small number of packets during a transaction is one of the desired features for a mobile device with very limited computing power and memory to effectively interact with a landline device.

The mobile device 106 comprises a display screen 116 and a keyboard pad 118. The hardware components including a microcontroller, a ROM and a RAM in the mobile phone 106 are known to those skilled in the art and so the hardware components are not described in detail herein. With the display screen 116 and the keypad 118, a user of the mobile device 106 can interactively communicate with the proxy server 114 over the airnet 102. According to one embodiment, one portion of the compiled and linked processes of the present invention are stored in the ROM as a client module that causes the mobile device 106 to operate with the proxy server 114. Upon activation of a predetermined key sequence utilizing the keypad 118, the microcontroller initiates a communication session request to the proxy server 114 using the client module in the ROM. Upon establishing the communication session, the mobile device 106 typically receives a single HDML deck from the proxy server 114 and stores the deck as cached in the RAM. As described above, an HDML deck comprises one or more cards and each card includes the information required to generate a screen display on the display screen 116. The number of cards in a card deck is selected to facilitate efficient use of the resources in the mobile device 106 and in the airnet network 102. Generally, one of the cards is a choice card that shows a sequence of frequently visited web sites and allows the user to choose one to make a secure and authenticated communication session with through the proxy server 114. The process of using certificates to establish such communication session will be described below.

Referring now to FIG. 3, there is depicted a representation of the present invention interacting with other parts or components in the data network. Referenced by 302, 304 and 306 are three representatives of a plurality of the mobile devices coupled to the airnet 102, similarly referenced by 310, 312 and 314 are three representatives of a plurality of landline devices coupled to the landnet 104. The proxy server device 128, which can be the one 114 in FIG. 2, couples the airnet 102 to the landnet 104, therefore any mobile devices can communicate with the landline devices via the airnet 102, the proxy server 114 and the landnet 104. To facilitate the description of the present invention, the internal block diagrams of the mobile device 302 and the link server 114 are respectively illustrated. Other processes and hardware are known to those skilled in the art and are not illustrated in detail in the figure for clarity.

Each of the mobile devices, such as the one 302, is assigned to a device ID 316. The device ID 316 can be a phone number of the device or a combination of an IP address and a port number, for example: 204.163.165.132:01905 where 204.163.165.132 is the IP address and 01905 is the port number. The device ID 316 is further associated with a subscriber ID 318 authorized by a carrier in the proxy server 114 as part of the procedures to activate the mobile device 302 by establishing a user account 324 in the proxy server 114. The subscriber ID 318 may take the form of, for example, 861234567-10900_pn.mobile.att.net by AT&T Wireless Service. The subscriber
ID 318 is a unique identification of the mobile device 302. In other words, each of the mobile devices 302, 304 and 306 has its own unique device ID that corresponds to a subscriber ID indexing a respective user account in the proxy server 114. The following description is based on the mobile device 302 and the associated account 324, it will be appreciated by those skilled in the art that the description is equally applied to a plurality of the mobile devices in communication simultaneously with the proxy server 114.

The account 324, indexed by the device ID 316 or the subscriber ID 318 and identified by an address identifier such as a URL, is a data structure comprising user info 322, a certificate list 320 and a private key list 326, wherein the user info 322 includes the account configuration and other account related information, such as username and password. The URL of the account may take the form of, for example, www.att.com/Pocketnet, which indicates that the airnet 102 is operated by AT&T wireless service. The certificate list 320 contains or points to a list of designated certificates issued by one or more CAs and the private key list 326 contains a list of keys, each corresponding respectively to each certificate in the certificate list 320. All certificates in the certificate list 320 are exclusively associated with the particular account. Generally the proxy server 114 maintains a large number of such user accounts, preferably kept in a database 328, each of the user accounts is respectively associated to each of the mobile devices that are subscribed with the same carrier and serviced by the proxy server 114. It can be appreciated that the certificates in one account are different from those in other accounts because of the respective association of the certificates with each of the accounts therein.

It has been described that it takes a noticeable length of time in a regular full-power desktop computer to obtain a certificate from a CA and generate a pair of keys; private and public keys therefor. To minimize the latency of obtaining a certificate with a mobile device, a certificate manager module (CMM) 342 maintains a certificate database, preferably in the database 328, to reserve a list of undesignated but issued certificates, referred to as free certificates, from one or different CAs. Whenever a user account is created to activate a mobile device that requires one or more certificates to access certain web servers requiring a certificate, a certificate request (certRequest) signal is sent to the CMM 342 to fetch needed certificates from the certificate database. Upon receiving the fetched certificates from the certificate database, the CMM 342 assigns the certificates to the particular account by attaching the device ID 316 and other account information, hence the fetched certificates become associated to the particular account and are placed in the certificate list 320. Meanwhile the CMM examines the number of the free certificates available in the certificate database, if the number is below a value, for example 200 certificates, referred to as threshold, the CMM calls the HTTP module 330 to establish a connection to the appropriate CA via the landnet 104 to obtain new free certificates to fill up the certificate database till the level of the threshold is reached, as such there are always sufficient free certificates available in the certificate database to supply any new accounts with the ready-to-use free certificates.

It can be now appreciated by those skilled in the art that the present invention uses the computing power in a proxy server to carry out the task of obtaining certificates asynchronously, apart from the tradition of obtaining certificates in local devices that normally have sufficient computing power, and further, unlike the tradition of physically storing the certificates in the local devices, the present invention maintains the certificates in a user account in the proxy server. Managing certificates in a proxy server for all clients makes it possible for the clients to access any secure web sites without demanding additional computing power and memory. Other advantages will be further appreciated in the description below.

The certificates are issued by a CA that can be any trusted central administration willing to vouch for the identities of those to whom it issues certificates and their association with a given key, for example, a company or a university may issue certificates to its own employees or its students. To accommodate the need of the mobile device 302 to obtain certificates from a CA other than the one that the CMM 342 uses to get the free certificates from, the server module 340 allows the user thereof to log onto the user account 324 associated to the mobile device 302 through any computers, for example, a PC 314 coupled in the landnet 104. This is accomplished by logging onto the user account 324 using the address identifier of the user account 324, for example: www.att.com/Pocketnet. To ensure that the account 324 is accessed by an authorized user, a set of credential information, such as a username and password, is required. The server module 340 through the HTTP module 330 will prompt for the username and password when the user connects the PC 314 to the URL using http://www.att.com/Pocketnet. Entries of a pair of matched username and password will be granted the permission to access the account.

To provide flexibility and security to the account, the username and password are fully administrated by the user. The user of the mobile device 302 can access the device's account 324 in the proxy server 114 using the mobile device 302 that is equipped with a HDML browser. Knowing the URL of the account, the user depresses a predetermined key to cause the client module 332 to send a request comprising the URL and the device ID 316 to UDP interface 336 that subsequently establishes a communication session to the proxy server 114 using the HDTP. The request is received by the corresponding UDP interface 128 in the proxy server 114 and carried out by the server module 340 to see if the device ID is authorized. The proxy server 114 then acknowledges the request with a response sent to the mobile device 302 for a username and password. It should be noted that the response does not request from the user a pair of username and password to permit an access to the account, in fact the permission to access to the account has been granted by matching the device ID 316 in the request from the mobile device 302 and the stored device ID of the account 320 in the proxy server 114. Instead, the response allows the user to self-provision the account by entering a pair of new username and password. Once the account 320 receives the pair of new username and password, the account, i.e. the user info 322, is updated. After the self-provisioning procedure, the user may use the PC 314 which has preferably a sufficient computing power and equipped with a more familiar HTML browser to establish a communication session using HTTP and the URL to the account. The newly provisioned username and password are entered in the PC 314 when prompted and sent over in a packet format to the proxy server 114 using HTTP in which the HTTP server 330 extracts the username and password and the server module 340 performs an authorization check with the user info 322 in the memory. If the entered username and password are matched, the authorization is granted so that the user or the PC 314 is permitted to access the account 324. The user can now request a certificate from a specified CA and updates the certificate list 320 and the key list 326. The process of
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obtaining a certificate from a CA using an HTML browser identified by www.financial.com. Generally, the certificate 

is known to those skilled in the art and therefore is not to be 382 acquired by the CMM 342 is a generic one acceptable 

described herein. It can be appreciated that, besides the to many web sites and not associated with a particular URL. 

capabilities provided by the CMM, the self-provisioning In other words, the certificate table 368 may have a number 

capability allows a user to tailor the certificates to his own 5 of special certificates, such as referenced by 376, 378 and 

needs while still relying on the proxy server to keep all the 380, specifically requested by the user and one or more 

certificates designated to the mobile device 302. generic certificates, such as referenced by 382, automatically 

Based on FIG. 3, FIGS. 4A and 4B demonstrate an acquired by the CMM 342. 

example in which the user of the mobile device 302 requests FIG. 5 illustrates a block diagram of various components 

certificates from user-specified CAs. After a predetermined 10 in the CMM 342. As described above, the CMM maintains 

key is pressed, the mobile device 302 uses HDTP to make a fixed number of free certificates in the certificate database 

a request to connect to the proxy server 114 using the URL and starts to get new certificates through the HTTP server 

of the account designed to the mobile device: 30286123456- 330 from the CA as soon as the number of the free 

10900_4>n.mobile.xyz.net. The device ID 86123456-10900 certificates in the certificate database becomes lower than 

is extracted from the request and verified that there is an 15 the threshold. Referenced by 402 is a certificate engine that 

account 324 indexed by the same device ID 86123456- manages the operations of other components in CMM 342. 

10900. Upon the verification, the user of the mobile device When the mobile device 302 is activated, the account thereof 

302 is prompted for a set of username and password. It has is requested to load with one or more certificates. After a free 

been described that username and password are not the certificate is fetched from the certificate database and upon 

required information for the mobile device 302 to access the 20 detecting that the number of available free certificates in the 

account 324, rather the user is given a permission to admin- certificate database below the threshold, the engine 402 

istrate the username and password. If the user does not enter triggers the distinguished name generator 404, or DN 

any new username and password, the username and pass- generator, to generate a unique distinguished name for a new 

word in the user account 324 stays the same. If the user certificate to be created. 

enters a set of new username and password, for example; 25 The distinguished name is the standard form of naming in 
username -"smith", and the password-" 123456", the the CCITTX.509 standard. A distinguished name comprises 
account 324 is updated with the new username and pass- one or more relative distinguished names, and each relative 
word. The user can now go to any computer in the landnet distinguished name is comprised of one or more attribute- 
104 to manipulate the account 324. The P£ 314 is equippe d value assertions. Each attribute-value assertion consists of 
with a HTM L browser providing a tun graphical use r 30 an attribute identifier and its corresponding value 
~interfac e"lnat allows the user to manipulate the account 324 information, e.g. CountryName-US, Organization-XYZ, 
mucn more efficie ntly. H ie PC 314 establishes an HTTP Inc. or OrganizationUnit-XYZ Service Division. The use of 
connection USing the URL, for example, mobile.xyz.net, of the distinguished names is intended to identify entities in a 
the gateway 354 in the server module 340 to aU the user X.500 directory tree that is now being used to implement 
accounts in the proxy server 114. The user is prompted at the 35 "white pages" for the Internet — a directory of people, 
PC 314 for a set of username and password. The user must computers, services, and electronic mail addresses. The 
enter "smith" for the username and "123456" for the pass- directory is organized hierarchically: international organi- 
word to get through the gateway 354. Upon receiving the zations and countries are at the top; countries are subdivided 
entered username and password, the gateway 354 compares into states or provinces, which in turn are subdivided in 
them with the ones in the account 324. If there is a mismatch, 40 various ways. Arelative distinguished name is the path from 
the PC or the user is not permitted to access the account 324. one node to a subordinate node of the directory tree. The 
If the entered username and password match the ones in the entire distinguished name traverses a path from the root of 
account 324, the gateway 354 grants permission to the PC the tree to an end node that represents a particular entity. A 
314. The user of the PC 314 can now use the HTML browser goal of the directory is to provide an infrastructure to 
to request special certificate from a special CA 358 by 45 uniquely name every communication entity in the Internet, 
providing a URL thereof and place the certificate the account hence the "distinguished" in the distinguished name. 
324 for the mobile device 302 to use. To ensure that the distinguished name generated by the 
According to one embodiment of the present invention, distinguished name generator 404 is associated eventually 
the certificate list may be implemented as a pointer to a with a user account, the distinguished name prefix generator 
certificate table 368. As is shown in FIG. 4B, it can be 50 406 generates a prefix for the distinguished name. The prefix 
appreciated to those skilled in the art that the use of pointer is generally a concatenation of a timestamp and a subscriber 
provides flexible capacity of the certificate list. The certifi- ID, for example, 861765228-9, wherein the timestamp indi- 
cate index 370 provides a space to store all the certificates cates when the certificate request is made and the subscriber 
and the corresponding URL list 372 associated URL for the ID is to be assigned to a mobile device when it is activated, 
specially requested certificates in the certificate index 370. 55 With the prefix from the distinguished name prefix generator 
There are a few service web sites that accept certificates 406, the distinguished name generated from the distin- 
from certain CAs. For example, a financial web site identi- guished name generator 404 must be unique. In order words, 
tied by www.financial.com only takes certificates signed by each of the free certificates in the certificate database has its 
CA SI. By self -provisioning the account, the user can own name and all the names must be distinguished, 
specifically request the certificate from CA SI and place the 60 The Certificate Engine 402 then invokes the key pair 
certificate in the certificate table 368. In a later use, the generator 412, or KP generator, to generate a pair of public 
mobile device 302 sends a request to establish a connection and private keys. It does so by using a set of library functions 
to wwwiirianciaLcom. When the request comprising www- which generates the private key based on the public key that 
.financial.com is received in the proxy server device 114, the is generated with supplied seed information. To conform to 
URL is used to retrieve the corresponding certificate, the 65 the industry standard, the set of library used in the key pair 
certificate by CA SI in this case. Along with the certificate generator 412 is supplied by RSAData Security, Inc. having 
by CA SI, the mobile device 302 can access the web an address of 100 Marine Parkway, Suite 500, Redwood 
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City, Calif. 94065. The generated keys are generally in the make sure the signer's certificate has not been revoked, 

form of a sequence of binary numbers, such as Whether it is worm the time to perform this check depends 

1110101100001 . . . 00101 and unlikely to be duplicated on the importance of the signed document The CRL is 

without knowing the source to generate them. To generate a maintained by the CA and provides information about 

pair of unique private and public keys, a random number, as 5 revoked certificates that were issued by the CA. The CRL, 

the source, must be provided according to the set of library however, only lists current valid certificates, since expired 

It is understood to those skilled in the art that there are many certificates should not be accepted in any case; when a 

ways to get the random number One of the commonly used revoked certificate is past its original expiration date, it is 

methods is to generate the random number through a one- removed from the CRL. Although a CRL is maintained in a 

way hash function from a noise source that may be hard- 10 distributed manner, there may be central repositories for a 

coded or from network traffic information. The one-way CRL> that is, network sites containing the latest CRLs from 

means that it is significantly easier to perform in one many organizations. 

direction (the forward direction) than in the opposite direc- The certificate library 408 receives such CRL and informs 

tion (the inverse direction), which makes it unlikely to the certificate engine 402 to take action when any certificates 

derive the private key from the public key. One example of 15 maintained by the CMM 342 is in the list. It is described that 

such hash functions is to multiply a value itself a certain the CMM 342 maintains a certificate database housing a 

number of times and followed by a modulo operation, fixed number of free certificates. When the CMM 342 

The certificate engine 402 creates a new entry for the associates a certificate from the certificate database to a user 

certificate in the certificate database and the corresponding account, the associated certificate must be valid. This is 

private key from the key pair is stored in the new entry, 20 guaranteed by first consulting with the CRL through the CS 

meanwhile the certificate engine 402 uses the generated library 408. If a fetched certificate from the certificate 

distinguished name and the public key obtained from the key database is somehow on the CRL, the fetched certificate is 

pair generator 412 to generate a certificate signing request or discarded and a next certificate is fetched from the certificate 

CSR, The CSR is a public standard format for requesting database. A check-up of the fetched certificate with the CRL 

certificates from a CA. The CSR contains, among other 25 is always performed in the CS library 408 before the fetched 

things, the public key that is to be certified by the CA and certificate is associated to the account. It is understood to 

the distinguished name associated with the public key. The those skilled in the art that the check-up with the CRL may 

CSR is a binary block of data packaged in a certificate be performed by an exhaustive comparison. The time or 

request in a standard form that is then sent to the CA through computation it takes to do the check-up regardless of the 

the HTTP module 330 using HTTP. 30 length of the CRL is affordable as alt are being carried out 

Upon receiving the certificate request, the CA verifies the in the proxy server 114 asynchronously with the mobile 

supplied information therein and attests to the validity of the device 416. 

user's public key along with other information by signing According to one embodiment of the present invention, 

the certificate. The CA then issues a certificate response, the source code listing in the appendix demonstrates opera- 

which may contain the signed certificate or an error. If the 35 tions in the CMM. The main( ) function creates a 

certificate response contains an error, that means the certifi- TCertEngine object and calls initialized by a function named 

cate being requested fails, a new process must be restarted. Initialize which creates the necessary threads to service 

When the certificate response comes back from the CA, the HTTP client based requests. It also creates threads that 

certificate engine 402 extracts the distinguished name from monitor certificates in the certificate database. When the 

the received certificate and updates the corresponding entry 40 thread is created it monitors available resources and calls 

in the certificate database through the certificate storage GenerateCert in TCertHttpProto to create certificates. This 

library 408, At this point that entry contains the signed thread uses TDBCertPool to create a new entry in database 

certificate which has the public key embedded in it and the for the certificate pool. 

corresponding private key, which has been referred to as the The function GenerateCert gets a new Distinguished 

free certificate. 45 Name from the Distinguished Name Generator. It also gets 

When the mobile device 302 is activated, a request is a new public/private key pair from the Key Pair Generator, 

submitted for creating a certificate for the device. The GenerateCert used this information to construct a CSR. It 

certificate engine 402 fetches a free certificate from the then issues a request to a CA over HTTP using SendCSR 

certificate database and associates it with the device ID. The method in THttpCertRequest When the certificate response 

association is performed by making an entry in a separate 50 comes back from the CA, it updates the entry in the free pool 

temporary table called device_cert_map__tbl, preferably in using TDBCertPool. 

a RAM of the proxy server 114. When a free certificate needs to be associated with a user 

The certificate storage (CS) library 408, or CS library, is account, the HandleCreateCert method in TCertCreateCall- 

used to administrate the certificate database and from time to back is invoked. This method extracts a new certificate from 

time receives certificate revocations lists from CAs. A cer- 55 the free certificate pool using functions in TDBCertPool, 

tificate revocation list (CRL) is a list of certificates that have The method then calls functions in TDBDeviceMap to make 

been revoked before their scheduled expiration date. There a new entry in the device_cert__map tbl. It then returns a 

are several reasons why a certificate might need to be response to the caller. The Reissue r thread, 

revoked and placed on a CRL. For instance, the key speci- TCertReissueThread, calls ReissueCert in TCertHttpProto to 

tied in the certificate might have been compromised, or, the 60 have certificates reissued. It calls methods on TDBCertPool 

user specified in the certificate may no longer have authority to TDBDeviceMap to revoke certificates in the free pool and 

to use the key. To be more specific, a user name associated those that are associated with the device, 

with a key is "Mr. Smith, Vice President, XYZ Corp/' If Mr. FIGS. 6A and 6B illustrates an operational flowchart of 

Smith left the company, the company may not want him to the centralized certificate management system in the present 

be able to sign messages with that key, and therefore, the 65 invention and should be understood in conjunction with 

company would place the certificate on a CRL. When FIGS. 3 and 4. Complied and linked processes of the present 

verifying a signature, one can check the relevant CRL to invention are loaded into a proxy server 502 and cause the 
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proxy server 502 to perform the centralized certificate 
management. It is understood to those skilled in the art that 
a proxy server is a server computer or device, generally 
equipped with sufficient computing power and memory, that 
is loaded with applications that cause the device to service 
other computing devices, hence the applications therein are 
commonly referred to as the server and the device itself is 
referred to herein as server device. The computing devices 
in the present invention are the thin devices that may be 
mobile devices, cellular phones and the Internet appliance 
controllers. 

At 504, the CMM 324 causes the server device 502 to maintain a certificate database that is preferably stored in a local storage driver in the server device 502. The certificate database reserves a fixed number of free certificates signed by a CA yet to be associated to a user account or a thin client. By maintaining the ready-to-use free certificates in the database, the thin client can get a certificate associated thereto without a noticeable time delay, needed computing power and memory. At 506, the number of the available free certificates is examined. If the number drops, a process to get a new certificate starts at 510. It should be understood that the number of the free certificates in the certificate database drops sometimes because of the certificate updating at 508. To ensure that the certificates to be associated with user accounts are always valid, the CS library 408 constantly updates the free certificates in the certificate database according to a certificate updating message received from a CA or commonly used repository site. The certificate message may comprise a CRL or insert/delete query, which causes the CMM 324 to discard some of the free certificates, hence the number of the free certificates decreases. In any case, the CMM 324 tries to maintain the level of the free certificates in the certificate database by getting new certificates from a CA. When the process to get a new certificate starts, the CMM 324 first gets a distinguished name for the new certificate by calling the DN prefix generator 406 and DN generator 404 at 510 and 512 and then calls KP generator 412 to generate a pair of private key and public key therefor at 514. A certificate request is formed at 516 to include a CSR comprising the generated distinguished name and the public key. At 518, the CMM 342 communicates with the CA using HTTP through the HTTP server 330. Upon receiving the certificate request, the CA attests to the validity of the public key along with other information by signing the certificate and returns a certificate response to the CMM 342, thus a signed certificate is created at 520. The signed certificate is deposited as a free certificate to the certificate database at 522. Logically the number of the free certificates is incremented by one and compared with the fixed number or threshold. If the incremented number is still below the threshold, the process to get a new certificate is repeated from 510 till the number of the free certificates in the certificate database reaches the threshold.

Meanwhile the CMM 342 maintains a plurality of user accounts at 536, each preferably assigned to one thin client. Each of the accounts has one or more certificates exclusively associated with the account. When a thin client is activated to be serviced by the server device 502, a new user account is established therefor at 538. As described before, the user account may comprise a device ID, a subscriber ID, user info, a certificate list and a private key list. The device ID is a piece of information that helps the server device 502 to recognize which thin client device it is supposed to service and is entered when the thin device is activated. The user info contains information regarding the account configuration and the services that the thin client needs. The subscriber ID, the certificate list and the private key list are obtained when a certificate is associated thereto. At 540, a request to get a certificate is made. Upon receiving the request at 542, the CMM 342 fetches a valid free certificate from the certificate database and associates the free certificate to the account.

The present invention includes a method of self-provisioning. Specifically, a user may attempt to self-provision as illustrated at step 544 in FIG. 6B. First, the user attempts to access a user account by logging onto the account. If the user is logging in using the thin client device that has a device ID, the access is quickly authenticated. If the user is logging in using a computer connected to the Internet, then the user must enter the current username and password. After obtaining access, the user may change the username and/or password at step 572. The user can then access the account from the thin client or another computing device to request a certificate from a user-specified CA at 578.

After the thin client is activated by establishing the account having one or more certificates in the server device 502, it is now possible for the thin client to establish a secure and authenticated communication session with some secure web sites to conduct private communication therebetween. At 550, the server device 502 receives a session request from the thin client to establish a secure and authenticated communication session with a web site identified by a URL. The session request comprises the device ID of the thin client in order for the server device 502 to recognize the thin device and consequently authorize such request therefrom. At 552, the device ID is extracted from the session request and compared with the device ID in the user account. If the device IDs are matched, the thin device is authorized and further examined per the corresponding account thereof. At 544, the certificate in the matched account is fetched to be included in the session request that is sent to the desired web site using HTTPS. At 558, an authentication between the thin client and the contacted web site is carried out by examining each other's certificate. If each certificate is trusted, a session key results therefrom and is used to encrypt information to be exchanged between the thin client and the web site, hence a secure and authenticated communication is established.

The present invention has been described in sufficient detail with a certain degree of particularity. It is understood to those skilled in the art that the present disclosure of embodiments has been made by way of example only and that numerous changes in the arrangement and combination of parts as well as steps may be resorted to without departing from the spirit and scope of the invention as claimed. Accordingly, the scope of the present invention is defined by the appended claims rather than the foregoing description of embodiments.
What is claimed is: 

1. A method for managing centralized certificates in a proxy server device for a plurality of thin client devices coupled to said proxy server through a data network, the method comprising:

maintaining a free certificate database accessible by said proxy server, the free certificate database comprising a plurality of free certificates issued by a Certificate Authority (CA) wherein each of the free certificates has a corresponding public key and a corresponding private key;

maintaining a user account database wherein said user account database is not a thin client device, said user account database accessible by said proxy server that performs communication on behalf of said thin client devices, said user account database comprising a plurality of user accounts, each of the thin client devices associated with one of said user accounts wherein each of the user accounts comprises a device ID, a list of public and private keys assigned to the user account, and a list of certificates assigned to the user account; and

adding a certificate taken out from the free certificate database to each of said plurality of user accounts in said user account database.

2. The method as recited in claim 1, further comprises:

receiving a certificate request when the number of free certificates in the certificate database is lower than a low threshold number; and

generating a new certificate wherein generating the new certificate comprises,

generating a distinguished name for the new certificate;

generating a new private key and a new public key for the new certificate;

sending a certificate request to the CA wherein the certificate request comprises the generated new public key;

receiving the new certificate signed by the CA; and

depositing the new certificate in the free certificate database.

3. The method as recited in claim 1, wherein maintaining 
the user account database comprises: 

retrieving one of the free certificates from said free 
certificate database when a new thin client device is 
activated; 

establishing a new user account comprising a new device 
ID and a new subscriber ID; and 

associating the retrieved free certificate and the corre- 
sponding private key and public key with the new user 
account having the new device ID. 

4. The method as recited in claim 1 further comprising: 
updating the free certificates in the free certificate data- 
base upon receiving a certificate updating request. 

5. The method as recited in claim 4 wherein updating the 
free certificates in the free certificate database upon receiv- 
ing the certificate updating request comprises removing an 
invalid certificate from the free certificate database when the 
certificate updating request is a certificate revocation list. 

6. The method as recited in claim 1 further comprising:

updating a user account in the user account database associated with a valid device ID upon receiving a newly provisioned username and password from a thin client device having said valid device ID.

7. The method as recited in claim 3 wherein the updating 
the free certificates in the certificate database upon receiving 
the certificate updating request comprises deleting a certifi- 
cate from the certificate database according to an insert/ 
delete query in the certificate updating request. 

8. The method as recited in claim 1 wherein a user account 
in the user account database may be accessed from a 
computer coupled to said proxy server through the global 
internet. 
9. The method as recited in claim 8 wherein a valid username and password must be supplied to access said user account.

10. An apparatus for managing centralized certificates in 
a proxy server device for a plurality of thin client devices 
over a data network, the apparatus comprising: 

a certificate manager module for generating free certifi- 
cates; 

a free certificate database coupled to the certificate man- 
ager module for storing the free certificates from the 
certificate manager module until reaching an upper 
threshold; 

a user account database, said user account database not 
stored in a thin client device, said user account database 
accessible by said proxy server device that performs 
communication on behalf of said thin client devices, 
said user account database comprising a plurality of 
user accounts, each of the thin client devices associated 
with one of said user accounts wherein each of the user 
accounts comprises a device ID and a list of certificates 
assigned to the user account; and 

a certificate assigning module for associating one of said 
free certificates in the free certificate database to one of 
said plurality of user accounts in said user account 
database associated with a thin client device. 

11. The apparatus as recited in claim 10 wherein the certificate manager module comprises:

a certificate engine communicating with the certificate assigning module;

a name generator generating a unique name for a new certificate;

a key pair generator generating a private key and a public key for the new certificate; and

a certificate request module for contacting a certificate authority for the new certificate, wherein a certificate request from said certificate request module comprises the public key and the unique name.

12. The apparatus as recited in claim 11, wherein said name generator comprises a distinguished name generator that combines a timestamp along with a subscriber ID.

13. The apparatus as recited in claim 10 wherein the 
certificate manager module updates said free certificate 
database upon receiving certificate update request. 

14. The apparatus as recited in claim 13, wherein said 
certificate update request comprises a certificate revocation 
list. 

15. The apparatus as recited in claim 14, wherein said 
certificate update request further comprises an insert/delete 
query. 

16. The apparatus as recited in claim 10 further compris- 
ing: 

a computer network coupled to said proxy server device; 
and 

a client computer coupled to said computer network, said 
client computer able to access a user account in said 
user account database. 